Date: 2023-04-22

When Apple previews iOS 17—the iPhone’s next operating system—at its annual developers conference in June, it would be heartening to see the company introduce one major privacy feature that its users have needed for years: the ability to pick which contacts get uploaded when an app requests access to a user’s contact book. Right now, it’s all contacts or none, and that means that developers large and small can infer intimately personal details about a user’s life if the user chooses to grant the app access to their contact book.

After all, most of us probably have the phone number or email address of a teacher at our child’s school saved in our contacts, revealing where our children spend their days. We also likely have info for therapists or doctors we visit, as well as professional colleagues and financial advisers. Many of us even give these contacts straightforward labels such as “marriage counselor” or “financial adviser” or “oncologist,” revealing explicitly who’s who and how they relate to us, and perhaps even the medical conditions we have. We may even have information saved that reveals our political leaning, religion, or causes we’re passionate about—perhaps we have the contact information of a rabbi or a BLM organizer in our contacts book.

This information is a gold mine for major social media platforms and apps. It helps them build a social graph of who we know, which is then used by tech companies to serve us ads or content we might find interesting, increasing profits and engagement. But this data—which can contain the phone numbers, home addresses, and birthdays of the people we know and love—can also be sold by the app or platform to third parties. And, if the app’s systems are ever hacked, bad actors could find out everyone you know, making spoofing or identity theft much easier.

The weaponization of contact information

One horrible real-world example of how apps have abused a user’s contact information was detailed in a 2021 report from Vice. A man downloaded an instant loan app to get money to help him through a financially tough time. As part of the process, the app requested access to all of his phone’s data, including his saved contacts. He repaid his first loan on time, but when he failed to pay back a second loan on time due to his salary being delayed, a person associated with the loan app began sending embarrassing WhatsApp messages to the people in his contacts book, telling them that the man was a thief.